You have probably been told that public Wi-Fi is dangerous and that you should always use a VPN on it. That advice is partly right, but the risk is more specific than it is usually presented — and a VPN addresses some parts of it while having no effect on others.
Understanding what actually happens on a public network makes it easier to decide when a VPN is worth the effort and when it is not.
What public Wi-Fi actually exposes
When you connect to a public Wi-Fi network — in a café, airport, hotel, or library — your device joins a network shared with other people you do not know. The network itself is controlled by whoever runs it.
Two categories of risk follow from this. The first is passive monitoring: the network operator, or anyone with physical access to the router, can see the traffic passing through it. The second is active interception: a person on the same network can attempt to insert themselves between your device and the internet, redirecting or observing your traffic.
Both risks are real. How serious they are depends heavily on what traffic you are sending.
How HTTPS changed the picture
A decade ago, a large share of web traffic was sent in plaintext over HTTP. Anyone on the same network could read it in full — login forms, page content, session cookies.
Today, the overwhelming majority of websites use HTTPS, which encrypts traffic between your browser and the destination server. An observer on the same network — including the network operator — can see that you are connecting to a particular site, but cannot read the content of what you send or receive. Your login credentials, messages, and page content are protected by the encryption layer that HTTPS provides.
This does not mean public Wi-Fi is without risk. It means the nature of the risk has shifted. Traffic content is generally protected by HTTPS. What remains visible is connection metadata: which domains you are visiting, how often, and roughly when.
Where a VPN still adds value on public networks
A VPN on public Wi-Fi does two things that HTTPS alone does not.
First, it hides the domain names you are connecting to. Even on HTTPS connections, DNS queries and connection metadata can reveal which sites you are visiting. A VPN tunnels this traffic through an encrypted connection to the VPN server, so the local network — the router, the network operator, other devices on the network — sees only traffic going to the VPN server, not the domains behind it.
Second, it protects against certain active attacks where an attacker on the network attempts to intercept or redirect your traffic before your HTTPS connection is established. Some older attacks exploited the gap between opening a browser and a secure connection being negotiated. Once it is connected, a VPN eliminates this gap by encrypting everything before it leaves your device.
These are genuine benefits on networks you do not control or trust.
What a VPN cannot protect on public Wi-Fi
A VPN does not protect you from threats that operate at a different layer.
If a site you visit has been compromised, or if you download something malicious, a VPN does not help. If you log in on a page that has been set up to harvest your credentials, the VPN tunnels that connection without knowing the destination is hostile.
A VPN also does not protect against the network operator redirecting you to a fake login portal before the VPN connects. Some public networks require you to complete a captive portal login — accepting terms, sometimes entering an email address — before granting internet access. During that captive portal phase, your traffic is unprotected and goes through the network's own DNS and routing. Your VPN connects only after that step completes.
On mobile devices, apps that communicate outside the browser may not respect VPN routing depending on how the VPN is configured. Connections established by apps before the VPN was active may persist outside the tunnel.
What this means for you
For most general browsing on public Wi-Fi, HTTPS already provides meaningful protection for traffic content. A VPN adds privacy for connection metadata and a layer of defense against local network interception — both of which are reasonable things to want on a network you do not control.
The practical guidance is simple: connecting to your VPN before doing anything else on a public network is a low-effort habit that closes the gaps HTTPS leaves open. Waiting until you need it is less reliable than making it the first step.
Know that public Wi-Fi risks are real but bounded. The more alarming scenarios from a decade ago — passwords visible in plaintext to anyone with a packet sniffer — are largely obsolete on modern HTTPS-only sites. What remains is subtler and still worth addressing.
Public Wi-Fi is not a uniquely dangerous environment requiring extreme measures. It is an untrusted network that benefits from the same precautions you would apply to any network you do not control. A VPN is one of those precautions, alongside keeping software updated and being careful about which apps you use while connected.